commit a300f146e5bf62588cc6af54c7effed8931b8baf
author Paul Duffin <paulduffin@google.com> Tue Jun 07 15:53:38 2016 +0100
committer gitbuildkicker <android-build@google.com> Tue Sep 27 14:51:53 2016 -0700
tree 4ba786b7b8046d955287afdecf8ca95c8e7666df
parent c1eb19e8169a66933c122408b2de15000aaa1eeb

Security Vulnerability - CVE-2012-6702 and CVE-2016-5300

Applies the patch from the bug. The change to CMakeLists.txt is
not applicable as Android does not use that to build expat. It
is not needed as it only applies to building for Windows.

Bug: 29149404
Change-Id: I557d2d5e5f338cd141db7f09fb2648f1be4cc8bc
(cherry picked from commit 3c2f09e63ae65adffdfe07164f872e454e338789)

lib/xmlparse.c

diff --git a/lib/xmlparse.c b/lib/xmlparse.c
index 18bfb7e..e12853c 100644
--- a/lib/xmlparse.c
+++ b/lib/xmlparse.c
@@ -6,7 +6,14 @@
 #include <string.h>                     /* memset(), memcpy() */
 #include <assert.h>
 #include <limits.h>                     /* UINT_MAX */
-#include <time.h>                       /* time() */
+
+#ifdef COMPILED_FROM_DSP
+#define getpid GetCurrentProcessId
+#else
+#include <sys/time.h>                   /* gettimeofday() */
+#include <sys/types.h>                  /* getpid() */
+#include <unistd.h>                     /* getpid() */
+#endif
 
 #define XML_BUILDING_EXPAT 1
 
@@ -432,7 +439,7 @@
 getElementType(XML_Parser parser, const ENCODING *enc,
                const char *ptr, const char *end);
 
-static unsigned long generate_hash_secret_salt(void);
+static unsigned long generate_hash_secret_salt(XML_Parser parser);
 static XML_Bool startParsing(XML_Parser parser);
 
 static XML_Parser
@@ -691,11 +698,38 @@
 };
 
 static unsigned long
-generate_hash_secret_salt(void)
+gather_time_entropy(void)
 {
-  unsigned int seed = time(NULL) % UINT_MAX;
-  srand(seed);
-  return rand();
+#ifdef COMPILED_FROM_DSP
+  FILETIME ft;
+  GetSystemTimeAsFileTime(&ft); /* never fails */
+  return ft.dwHighDateTime ^ ft.dwLowDateTime;
+#else
+  struct timeval tv;
+  int gettimeofday_res;
+
+  gettimeofday_res = gettimeofday(&tv, NULL);
+  assert (gettimeofday_res == 0);
+
+  /* Microseconds time is <20 bits entropy */
+  return tv.tv_usec;
+#endif
+}
+
+static unsigned long
+generate_hash_secret_salt(XML_Parser parser)
+{
+  /* Process ID is 0 bits entropy if attacker has local access
+   * XML_Parser address is few bits of entropy if attacker has local access */
+  const unsigned long entropy =
+      gather_time_entropy() ^ getpid() ^ (unsigned long)parser;
+
+  /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
+  if (sizeof(unsigned long) == 4) {
+    return entropy * 2147483647;
+  } else {
+    return entropy * 2305843009213693951;
+  }
 }
 
 static XML_Bool  /* only valid for root parser */
@@ -703,7 +737,7 @@
 {
     /* hash functions must be initialized before setContext() is called */
     if (hash_secret_salt == 0)
-      hash_secret_salt = generate_hash_secret_salt();
+      hash_secret_salt = generate_hash_secret_salt(parser);
     if (ns) {
       /* implicit context only set for root parser, since child
          parsers (i.e. external entity parsers) will inherit it